[lxc-users] More secure container

Jared Folkins jfolkins at gmail.com
Tue May 9 15:47:49 UTC 2017


This email is timely as I was researching this (again) last night. It
resulted in me taking a look through the lxd demo server code and configs
which I think do a very reasonable job at allowing untrusted users access
to containers.

https://github.com/lxc/lxd-demo-server

My final thought was that if the community felt there was a bit more to
add, we/I could fork the project and call it lxd-demo-server-paranoid with
some extra security configuration primitives sprinkled on top.

I haven't defined what the "extras" would be, but if the idea sounds
reasonable, I'd love some ideas.

Jared

On Tue, May 9, 2017 at 8:22 AM, T.C 吳天健 <tcwu2005 at gmail.com> wrote:

> Hi,
>
> It's said a privileged container is unsecured. For example, if a user in the
> container (suppose it's running a service toward the public) hacks the
> system with some kind of rootkit.
>
> I am thinking of building a more secure container. The first idea is to
> use an unprivileged container; the second is to apply cgroups to limit viewing of
> some sensitive /dev files. Any recommendations?
>
> Summary
> -use unprivileged container
> -cgroup to limit viewing of some /dev files